1 Introduction

Many methods and tools for the fully automatic analysis of security protocols are 
based on a technique called constraint solving (see, e.g., [11,7]), which as a central 
component involves a unification algorithm. The first methods and tools for the 
analysis of security protocols assumed the message space to be a free term algebra. 
However, this is too idealized an assumption in case the protocols employ operators 
with algebraic properties, such as the exclusive or (XOR), an operator frequently 
used in security protocols. In [?] it was shown that security, more precisely 
secrecy and authentication, of protocols is still decidable w.r.t. a bounded number 
of sessions, and even NP-complete [?], when taking the algebraic properties of XOR into 
account. However, these results do not yield practical algorithms. A first algorithm 
based on constraint solving and tailored towards efficient implementation was 
proposed by Chevalier [3]. However, a prerequisite for this algorithm to be of practical 
use is a unification algorithm for the combination of the equational theory $E_{\mathrm{ACUN}}$ 
(modeling the algebraic properties of XOR) and an equational theory $E_{\mathrm{std}}$ modeling 
public/private keys, an algorithm which works well in practice. The goal of the present work is to 
provide such an algorithm. 

A unification algorithm for $E = E_{\mathrm{std}} \cup E_{\mathrm{ACUN}}$ can easily be obtained by the 
general combination method proposed by Baader and Schulz [1], since unification 
algorithms for $E_{\mathrm{std}}$ and $E_{\mathrm{ACUN}}$ exist. However, this unification algorithm would be 
highly non-deterministic and therefore not directly suitable for practical use. Several 
optimizations have been proposed. First, Baader and Schulz [1] already suggested 
simple optimizations. More sophisticated optimizations, called the iterative and the 
deductive method, were presented by Kepser and Richts [10], who exploit concrete 
properties of the theories, like collapse-freeness, to limit the non-determinism. Another 
combination method, along with optimizations, was proposed by Boudet [2]. However, 
the settings in all of these works are still quite general and their optimizations 
do not suffice for our purposes. 

In this paper, we propose a unification algorithm for the theory $E$ which 
combines unification algorithms for $E_{\mathrm{std}}$ and $E_{\mathrm{ACUN}}$ but, compared to the more general 
combination methods mentioned above, uses specific properties of the equational 
theories for further optimizations. Our optimizations drastically reduce the number of 
non-deterministic choices, in particular those for variable identification and linear 
orderings. This is important for reducing both the runtime of the unification 
algorithm and the number of unifiers in the complete set of unifiers. We emphasize that 
obtaining a "small" set of unifiers is essential for the efficiency of the constraint 
solving procedure within which the unification algorithm is used. 

Outline of the Paper. In the following section, we briefly recall the combination 
algorithm by Baader and Schulz along with the optimizations proposed by Kepser 
and Richts. In Section 3 our unification algorithm is introduced, with experimental 
results presented in Section 4. We conclude in Section 5. Further details can be found 
in a technical report [13]. 

2 The General Combination Algorithm 

In this section, we briefly describe the general combination method of Baader and 
Schulz [1] and the optimizations introduced by Kepser and Richts [10], as our algorithm 
is based on [1] and some of our optimizations are motivated by [10]. 

Given disjoint equational theories $E_1$ and $E_2$ and stand-alone unification 
algorithms $A_1$ and $A_2$ for $E_1$ and $E_2$, respectively, which work with linear constant 
restrictions (see below), the combination method of Baader and Schulz combines $A_1$ 
and $A_2$ to obtain a unification algorithm for the joined theory $E = E_1 \cup E_2$. More 
precisely, given an elementary $E$-unification problem $\Gamma$, the combination method 
works as follows: 

1. Purification and splitting. Obtain the sub-problems $\Gamma_{1,x}$ with $x \in \{1,2\}$ by 
purifying terms and splitting equations for each theory $E_x$. (Non-pure terms or 
equations are those containing symbols of different theories.) 

2. Variable identification. Choose a partition (i.e., equivalence classes) on 
variables for each $x \in \{1,2\}$. Let $\Gamma_{2,x}$ be the sub-problem obtained from $\Gamma_{1,x}$ 
by replacing each variable by a representative of its class. 

3. Choose theory indices. For each variable $v$ in $V$ choose a theory index $\mathit{Ind}(v) \in 
\{1,2\}$, where $V$ is the set of variables occurring in both $\Gamma_{2,1}$ and $\Gamma_{2,2}$. If a 
variable has theory index 2, it is considered a constant in $\Gamma_{2,1}$; analogously for 
$\Gamma_{2,2}$. 

4. Choose linear ordering. Choose a linear ordering $<$ on $V$. (Together with 
3., the linear ordering $<$ induces what Baader and Schulz call a linear constant 
restriction.) 

5. Solve systems. For each theory $E_x$, the algorithm $A_x$ is applied to $\Gamma_{2,x}$ and $<$ 
to produce a complete set $C_x$ of unifiers respecting $<$, where a unifier $\sigma$ respects 
$<$ if $x < y$ implies that $y$ does not occur in $x\sigma$ for every $x, y \in V$. 

6. Combine unifiers. If $C_1$ and $C_2$ are non-empty, combine the unifiers of $C_1$ with 
those of $C_2$ to obtain a set of $E$-unifiers of $\Gamma$. Go back to 2. to try other choices 
(in order to obtain further unifiers). 

Theorem 1. The set of $E$-unifiers produced by the combination method above 
forms a complete set of $E$-unifiers of the $E$-unification problem $\Gamma$. 

The major disadvantages of the general combination method are its high degree of 
non-determinism and the non-detection of failures before the last step. This results 
in poor runtime behavior and sets of unifiers that are far from minimal. 

The main idea of the optimizations of Kepser and Richts [10] is to first make all 
non-deterministic decisions for one component in order to detect failures as soon as 
possible (iterative method) and to use constraints obtained by solving one component 
for reducing the number of remaining non-deterministic choices (deductive method). 
3 Our Optimized Algorithm 

We now present our unification algorithm for the equational theory $E = E_{\mathrm{std}} \cup 
E_{\mathrm{ACUN}}$ where $E_{\mathrm{std}} = \{x \approx (x^{-1})^{-1}\}$ with $\cdot^{-1}$ modeling a mapping between public 
and private keys and $E_{\mathrm{ACUN}} = \{x \oplus (y \oplus z) \approx (x \oplus y) \oplus z,\ x \oplus y \approx y \oplus x,\ 
x \oplus 0 \approx x,\ x \oplus x \approx 0\}$ modeling the XOR operator. The theory $E_{\mathrm{std}}$ is associated with a 
signature containing finitely many free symbols of arbitrary arity, including constants 
and binary symbols for pairing $\langle \cdot, \cdot \rangle$ and encryption $\{\cdot\}_\cdot$. The signature associated with 
$E_{\mathrm{ACUN}}$ is $\{\oplus, 0\}$. We note that both $E_{\mathrm{std}}$ and $E_{\mathrm{ACUN}}$ are unitary for elementary 
unification and efficient unification algorithms exist for both theories. However, it is 
not hard to see that $E$ is not unitary; by Theorem 1, $E$ is finitary. Unification for $E$ 
can easily be shown to be NP-complete using results in [?]. 
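As an added illustration (example code, not from the paper or its implementation), the following Python solves elementary $E_{\mathrm{ACUN}}$-unification problems with free constants by Gaussian elimination over GF(2), which is the reason the theory is unitary, and checks whether a unifier respects a linear ordering in the sense of step 5 of Section 2. The set-of-atoms encoding of XOR terms and the sample problem are constructed for this example.

```python
# Added example (not code from the paper): elementary E_ACUN-unification with
# free constants by Gaussian elimination over GF(2), plus the "respects <" check
# of step 5 of the combination method. An XOR term is a list of atom names;
# names in `variables` are variables, every other name is a free constant
# (a linear constant restriction turns the other theory's variables into
# exactly such constants). "0" is the unit.

def normalize(atoms):
    """ACUN normal form of an XOR of atoms: order is irrelevant (A, C), the
    unit 0 disappears (U) and pairs of equal atoms cancel (N)."""
    parity = {}
    for a in atoms:
        if a != "0":
            parity[a] = parity.get(a, 0) ^ 1
    return frozenset(a for a, p in parity.items() if p)

def apply_subst(sigma, atoms):
    """Apply a substitution (dict var -> frozenset of atoms) and renormalize."""
    out = []
    for a in atoms:
        out.extend(sigma.get(a, (a,)))
    return normalize(out)

def acun_unify(equations, variables):
    """Return the mgu of a list of (lhs, rhs) equations, or None.
    s = t modulo ACUN iff s XOR t = 0, so each equation is a linear equation
    over GF(2) in the variables, with the constants as parameters. One
    elimination pass yields the unique mgu or a contradiction."""
    rows = [normalize(list(l) + list(r)) for l, r in equations]
    rows = [r for r in rows if r]                 # drop trivial 0 = 0
    sigma = {}
    for v in sorted(variables):
        pivot = next((r for r in rows if v in r), None)
        if pivot is None:
            continue                              # v unconstrained: stays free
        rows.remove(pivot)
        sigma[v] = pivot - {v}                    # v = XOR of the other atoms
        rows = [r ^ pivot for r in rows if v in r] + [r for r in rows if v not in r]
        rows = [r for r in rows if r]
    if rows:
        return None                               # constants only: c1 ⊕ ... ⊕ ck = 0, k > 0
    for v in sorted(sigma, reverse=True):         # back-substitute: make sigma idempotent
        sigma[v] = apply_subst(sigma, sigma[v])
    return sigma

def respects(sigma, order):
    """A unifier respects the linear ordering `order` (smallest first) if x < y
    implies that y does not occur in x·sigma (the linear constant restriction)."""
    for i, x in enumerate(order):
        if apply_subst(sigma, [x]) & set(order[i + 1:]):
            return False
    return True

# Constructed sample (not from the paper): x ⊕ a = y ⊕ b and y ⊕ z = b,
# with variables x, y, z and constants a, b.
def run_sample():
    variables = {"x", "y", "z"}
    problem = [(["x", "a"], ["y", "b"]), (["y", "z"], ["b"])]
    sigma = acun_unify(problem, variables)
    solved = all(not apply_subst(sigma, list(l) + list(r)) for l, r in problem)
    return sigma, solved, respects(sigma, ["z", "x", "y"]), respects(sigma, ["x", "y", "z"])

if __name__ == "__main__":
    print(run_sample())
```

The sample yields $x \mapsto a \oplus z$, $y \mapsto b \oplus z$; it respects the ordering $z < x < y$ but not $x < y < z$, because $z$ occurs in $x\sigma$. Treating a name as a constant instead of a variable is all that is needed to impose a theory index from step 3.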

In what follows, we summarize the main optimizations of our algorithm compared 
to those discussed in the previous section, along with brief justifications of their 
correctness. Our optimizations employ specific properties of the equational theories 
under consideration and they reduce both the runtime and the size of complete 
unification sets. 

Simplified iterative and deductive method. Similar to Kepser and Richts, we 
employ the idea of the iterative and deductive method but apply it only once, to 
$E_{\mathrm{std}}$. That is, we first solve the $E_{\mathrm{std}}$-unification problem without any constraints. If 
this fails, the original problem is unsolvable. Otherwise, we obtain an mgu $\sigma_{\mathrm{std}}$ which is used 
in the subsequent steps to reduce the number of non-deterministic choices. Since 
typically the $E_{\mathrm{ACUN}}$-unification problem will not yield further constraints, we postpone 
solving this unification problem to a later point. 

Hierarchy of variable identifications. A major new optimization in our 
algorithm is that we do not have to iterate over all possible variable identifications. If 
unification for both $E_{\mathrm{std}}$ and $E_{\mathrm{ACUN}}$ succeeds for some variable identifications $\rho$ and 
$\rho'$ where $\rho$ is more general than $\rho'$, then the combined unifier for $\rho$ is more general 
than the one for $\rho'$. This can be shown using the following property of $E_{\mathrm{ACUN}}$: 

Lemma 1. Every mgu of an $E_{\mathrm{ACUN}}$-unification problem with linear constant 
restriction is also an mgu of this unification problem without restrictions. 

The above property on variable identifications allows us to traverse the tree of vari- 
able identifications in a breadth-first manner and skip all less general variable iden- 
tifications once we succeed in solving the problem for a more general one. 

Reduce number of choices of indices. Most theory indices can be determined 
from $\sigma_{\mathrm{std}}$. If a variable is instantiated by a term with a collapse-free top symbol, 
then this variable has to be a constant in $\Gamma_{\mathrm{ACUN}}$. On the other hand, if $x$ is not 
instantiated by $\sigma_{\mathrm{std}}$ and there exists no variable $y$ with $y\sigma_{\mathrm{std}} = x^{-1}$, then it 
does not matter whether $x$ is treated as a constant in $E_{\mathrm{std}}$ or not. In fact, a 
non-deterministic choice of theory indices must only be made for variables $x$ and $y$ such 
that $x\sigma_{\mathrm{std}} = y^{-1}$ and $y\sigma_{\mathrm{std}} = y$. Of course, not both can be constants in $E_{\mathrm{std}}$, so it 
suffices to choose one of them. 

Reduce number of choices of linear orderings. Instead of choosing an 
arbitrary linear ordering on $V$ (see Section 2), we first deduce (deterministically) a 
partial ordering $<_{\mathrm{po}}$ from $\sigma_{\mathrm{std}}$ such that $x <_{\mathrm{po}} y$ iff $y$ occurs in $x\sigma_{\mathrm{std}}$. Now, the 
important observation is that by Lemma 1, once we have found a solution of the 
$E_{\mathrm{ACUN}}$-unification problem w.r.t. a linear ordering $<$ which extends $<_{\mathrm{po}}$, we do not 
need to try other linear orderings. 

Table 1. Runtimes and sizes of complete sets of unifiers: "size" denotes the size 
of the returned complete set of unifiers; "vi opt" stands for "variable identification 
optimization"; $x, y, z, u, x_i$ are variables and $a, b, c, d, e$ are constants. Runtime tests 
obtained on a 1.5 GHz Intel Pentium M processor. 

Theorem 2. The algorithm described above returns a complete set of $E$-unifiers for 
a given $E$-unification problem. 

We note that the optimizations explained above are fairly independent of the theory 
$E_{\mathrm{std}}$. Hence, $E_{\mathrm{std}}$ can easily be replaced by other theories. 
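To make the $E_{\mathrm{std}}$-specific steps of this section concrete, here is an added Python example (not code from the paper or its implementation): $E_{\mathrm{std}}$-unification on normal forms, the partial ordering $<_{\mathrm{po}}$ read off $\sigma_{\mathrm{std}}$, and the theory indices that $\sigma_{\mathrm{std}}$ forces together with the pairs $x\sigma_{\mathrm{std}} = y^{-1}$, $y\sigma_{\mathrm{std}} = y$ that still need a choice. The term encoding, the symbol names inv/pair/enc, the sample problem, and the treatment of a variable instantiated by the inverse of a non-variable term (put on the $E_{\mathrm{std}}$ side) are our own assumptions.

```python
# Added example (not code from the paper): the E_std-specific steps of the
# optimized algorithm. A str is a variable or a constant (the `variables` set
# decides which); a tuple ("f", t1, ..., tn) applies a free symbol. "inv" models
# the public/private-key mapping, "pair" and "enc" are collapse-free symbols.

def norm_std(t):
    """E_std normal form: rewrite inv(inv(u)) to u, innermost first."""
    if isinstance(t, str):
        return t
    args = tuple(norm_std(a) for a in t[1:])
    if t[0] == "inv" and isinstance(args[0], tuple) and args[0][0] == "inv":
        return args[0][1]
    return (t[0],) + args

def apply_std(sigma, t):
    """Apply an idempotent substitution and renormalize."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return norm_std((t[0],) + tuple(apply_std(sigma, a) for a in t[1:]))

def term_vars(t, variables):
    if isinstance(t, str):
        return {t} if t in variables else set()
    return set().union(*(term_vars(a, variables) for a in t[1:]))

def unify_std(equations, variables):
    """E_std-unification: syntactic unification on normal forms plus the rule
    inv(x) = t  <=>  x = inv(t) for a variable x (without it, inv(x) = a would
    fail although x := inv(a) solves it modulo E_std). Returns the mgu or None."""
    def is_var(t):
        return isinstance(t, str) and t in variables
    def is_inv_var(t):
        return isinstance(t, tuple) and t[0] == "inv" and is_var(t[1])
    sigma, work = {}, [(norm_std(l), norm_std(r)) for l, r in equations]
    while work:
        s, t = (apply_std(sigma, u) for u in work.pop())
        if s == t:
            continue
        if is_var(t) or is_inv_var(t):
            s, t = t, s                               # variable side to the left
        if is_inv_var(s):
            s, t = s[1], norm_std(("inv", t))         # inv(x) = t  <=>  x = inv(t)
        if is_var(s):
            if s in term_vars(t, variables):          # occurs check
                return None
            sigma = {v: apply_std({s: t}, u) for v, u in sigma.items()}
            sigma[s] = t
        elif (isinstance(s, tuple) and isinstance(t, tuple)
              and s[0] == t[0] and len(s) == len(t)):
            work.extend(zip(s[1:], t[1:]))            # decompose f(s1..sn) = f(t1..tn)
        else:
            return None                               # clash of free symbols/constants
    return sigma

def partial_order(sigma, variables):
    """x <_po y iff y occurs in x·sigma; every linear ordering tried for the
    ACUN problem has to extend this relation."""
    return {(x, y) for x in variables
            for y in term_vars(apply_std(sigma, x), variables) if y != x}

def theory_indices(sigma, variables):
    """Indices forced by sigma: 1 = variable of E_std (a constant in the ACUN
    problem), 2 = variable of E_ACUN. Also returns the pairs (x, y) with
    x·sigma = inv(y) and y uninstantiated, where one of two choices remains."""
    inverse_of = {t[1]: x for x, t in sigma.items()
                  if isinstance(t, tuple) and t[0] == "inv" and t[1] in variables}
    indices, choices = {}, []
    for x in sorted(variables):
        t = sigma.get(x, x)
        if t == x:                                    # not instantiated by sigma
            if x in inverse_of:
                choices.append((inverse_of[x], x))
            else:
                indices[x] = 2                        # either index works; fix one
        elif isinstance(t, str) and t in variables:
            indices[x] = None                         # identified with variable t
        elif isinstance(t, tuple) and t[0] == "inv" and t[1] in variables:
            pass                                      # recorded as a choice above
        else:
            indices[x] = 1   # collapse-free top symbol (inv of a non-variable: our assumption)
    return indices, choices

VARS = {"x", "y", "z", "w", "u", "v"}
SAMPLE = [                       # constructed problem, not from the paper
    (("inv", "x"), "a"),
    (("pair", "y", "z"), ("pair", ("inv", ("inv", "b")), ("enc", "c", "w"))),
    ("u", ("inv", "v")),
]

def run_sample():
    sigma = unify_std(SAMPLE, VARS)
    solved = all(apply_std(sigma, l) == apply_std(sigma, r) for l, r in SAMPLE)
    return sigma, solved, partial_order(sigma, VARS), theory_indices(sigma, VARS)

if __name__ == "__main__":
    print(run_sample())
```

On the sample, $\sigma_{\mathrm{std}}$ binds $x \mapsto a^{-1}$, $y \mapsto b$, $z \mapsto \{c\}_w$ and $v \mapsto u^{-1}$; the forced indices put $x$, $y$, $z$ on the $E_{\mathrm{std}}$ side and $w$ on the $E_{\mathrm{ACUN}}$ side, the only remaining choice is between $u$ and $v$, and $<_{\mathrm{po}}$ consists of $z <_{\mathrm{po}} w$ and $v <_{\mathrm{po}} u$.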

4 Experimental Results 

Table 1 summarizes some of our experimental results (see [13] for more). It contains 
runtimes and sizes of complete sets of unifiers both with the optimization for variable 
identification turned on and off. (The other optimizations are harder to turn on and 
off in our implementation, which is why these optimizations are always turned on.) 
These results show that our unification algorithm runs efficiently on many 
benchmarks and that our optimizations indeed reduce both the runtime and the size of complete 
sets of unifiers. In fact, the optimized version of our algorithm always returned minimal 
sets of unifiers. (However, we have no proof that this is always the case.) 

Problem 1 in Table 1 is a unification problem that occurs in the analysis of 
the recursive authentication protocol [12]. Interestingly, while our algorithm quickly 
returns an mgu, the version of the algorithm with the optimization for variable 
identification turned off does not come back with a solution within 30 minutes. The 
two versions of the algorithm also perform very differently on problem 2. There 
is no difference in problem 3 since this problem is not unifiable, and hence the 
algorithm has to try all possible variable identifications. Problems 4 and 5 are only 
of theoretical interest; they typically do not occur in applications but illustrate the 
limitations of the optimizations. Note that in problems of this form the size of a minimal 
complete set of unifiers may be exponential in the size of the problem. 

5 Conclusion 

Motivated by the analysis of security protocols, we have presented a unification 
algorithm for an equational theory including ACUN. Our algorithm contains several 
optimizations which make use of the specific properties of the equational theories at 
hand, and it performs well on practical examples, both in terms of its runtime and the 
size of the complete set of unifiers returned. As such, our algorithm is well-suited as 
a subprocedure in constraint solving algorithms for security protocol analysis with 
XOR. 

One future direction is to incorporate other operators and their algebraic 
properties into our algorithm, including important operators such as Diffie-Hellman 
exponentiation and RSA encryption. In [5,6] it was shown that fully automatic analysis 
of security protocols is also possible in the presence of such operators. 